CVE-2026-44573 Overview
CVE-2026-44573 is an authorization bypass vulnerability in Next.js, the React framework maintained by Vercel for building full-stack web applications. The flaw affects applications that combine the Pages Router with internationalization (i18n) configuration and rely on middleware or proxy-based authorization checks. Attackers can request locale-less /_next/data/<buildId>/<page>.json URLs to retrieve server-side rendered JSON for protected pages. Middleware does not execute for the unprefixed data route, so intended authorization checks are skipped. The issue is classified as [CWE-863] Incorrect Authorization and is fixed in Next.js 15.5.16 and 16.2.5.
Critical Impact
Unauthenticated attackers can fetch SSR JSON data for protected pages over the network, exposing confidential application data without triggering authorization middleware.
Affected Products
- Vercel Next.js versions 12.2.0 through versions prior to 15.5.16
- Vercel Next.js 16.x versions prior to 16.2.5
- Applications using the Pages Router with i18n and middleware/proxy-based authorization
Discovery Timeline
- 2026-05-13 - CVE-2026-44573 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-44573
Vulnerability Analysis
Next.js exposes server-side rendered page data through an internal data route at /_next/data/<buildId>/<page>.json. When an application configures i18n and uses the Pages Router, Next.js generates locale-prefixed variants of routes. Middleware typically runs on these locale-prefixed paths and enforces authorization. However, the locale-less variant of the data route bypasses middleware execution. Attackers can construct requests directly to the unprefixed .json endpoint and receive the same SSR payload that would otherwise require authentication. The vulnerability is network-exploitable without privileges or user interaction and affects confidentiality of protected page data.
Root Cause
The root cause is inconsistent middleware invocation across locale variants of the Next.js data route. The i18n routing layer treats the locale-less /_next/data/<buildId>/<page>.json path as an internal data fetch and skips middleware execution. Authorization logic that runs only in middleware never evaluates the request. Server components still render and serialize the page data, returning it to the unauthenticated caller.
Attack Vector
An attacker identifies a protected page in a target Next.js application, for example /account/settings. The attacker locates the current build identifier from public assets, then issues a direct GET request to /_next/data/<buildId>/account/settings.json without a locale prefix. Because middleware does not run for this path, authorization headers and session checks are not enforced. The server returns the JSON props that would normally only render for authenticated users. No exploit code is required beyond crafting the request URL. See the GitHub Security Advisory GHSA-36qx-fr4f-26g5 for vendor technical details.
Detection Methods for CVE-2026-44573
Indicators of Compromise
- Requests to /_next/data/<buildId>/ paths without a locale prefix in environments where i18n is enabled
- Successful HTTP 200 responses to .json data routes from clients that lack valid authentication cookies or tokens
- Anomalous spikes in /_next/data/ traffic from a single source IP enumerating protected pages
Detection Strategies
- Inspect web server and CDN logs for /_next/data/ requests and correlate them with authentication state of the requester
- Compare request volumes between locale-prefixed and locale-less variants of the data route to surface bypass attempts
- Deploy WAF rules that flag direct access to /_next/data/ paths originating from unauthenticated sessions
Monitoring Recommendations
- Forward Next.js application logs, reverse proxy logs, and CDN access logs to a centralized SIEM for correlation
- Alert on repeated 200-status responses to /_next/data/*.json endpoints from non-browser user agents
- Track build identifiers in URL paths and monitor for enumeration of multiple protected page names
How to Mitigate CVE-2026-44573
Immediate Actions Required
- Upgrade Next.js to version 15.5.16 or 16.2.5 or later across all environments
- Audit application code that relies solely on middleware for authorization and add server-side checks inside getServerSideProps
- Inventory all Pages Router applications that use i18n to identify exposed assets
Patch Information
Vercel released fixed versions 15.5.16 and 16.2.5. Both releases ensure middleware executes for locale-less /_next/data/ paths so authorization checks apply consistently. Patch details and remediation guidance are documented in the Vercel Next.js Security Advisory.
Workarounds
- Add explicit authorization checks inside getServerSideProps for protected pages instead of relying only on middleware
- Configure a reverse proxy or CDN rule to block or require authentication for /_next/data/ requests that lack a valid locale prefix
- Migrate from middleware-only authorization to App Router route handlers where layered authorization is enforced server-side
# Update Next.js to a patched version
npm install next@15.5.16
# or for the 16.x branch
npm install next@16.2.5
# Verify the installed version
npx next --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
